Create fine-grained configuration permissions.

No more hard-coded isAdmin() checks.
2025-11-17 10:41:06 +01:00 · 2018-07-30 17:41:00 +02:00
parent df282ee6a9
commit 7572580ac1
20 changed files with 181 additions and 77 deletions
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/GlobalConfigResourceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/GlobalConfigResourceTest.java
@@ -10,6 +10,7 @@ import org.jboss.resteasy.mock.MockHttpResponse;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 import org.mockito.InjectMocks;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.web.VndMediaType;
@@ -23,19 +24,22 @@ import java.util.Arrays;
 import java.util.HashSet;

 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.MockitoAnnotations.initMocks;

@SubjectAware(
-  username = "trillian",
-  password = "secret",
-  configuration = "classpath:sonia/scm/repository/shiro.ini"
+  configuration = "classpath:sonia/scm/configuration/shiro.ini",
+  password = "secret"
 )
 public class GlobalConfigResourceTest {

  @Rule
  public ShiroRule shiro = new ShiroRule();

+  @Rule
+  public ExpectedException thrown = ExpectedException.none();
+
  private Dispatcher dispatcher = MockDispatcherFactory.createDispatcher();

  private final URI baseUri = URI.create("/");
@@ -58,6 +62,7 @@ public class GlobalConfigResourceTest {
  }

  @Test
+  @SubjectAware(username = "readOnly")
  public void shouldGetGlobalConfig() throws URISyntaxException {
    MockHttpRequest request = MockHttpRequest.get("/" + GlobalConfigResource.GLOBAL_CONFIG_PATH_V2);
    MockHttpResponse response = new MockHttpResponse();
@@ -65,22 +70,22 @@ public class GlobalConfigResourceTest {
    assertEquals(HttpServletResponse.SC_OK, response.getStatus());
    assertTrue(response.getContentAsString().contains("\"proxyPassword\":\"heartOfGold\""));
    assertTrue(response.getContentAsString().contains("\"self\":{\"href\":\"/v2/config/global"));
-    assertTrue("link not found", response.getContentAsString().contains("\"update\":{\"href\":\"/v2/config/global"));
+    assertFalse("Update link present", response.getContentAsString().contains("\"update\":{\"href\":\"/v2/config/global"));
  }

-  @SubjectAware(
-    username = "dent"
-  )
  @Test
-  public void shouldGetForbiddenGlobalConfig() throws URISyntaxException {
+  @SubjectAware(username = "writeOnly")
+  public void shouldGetGlobalConfigOnlyWhenAuthorized() throws URISyntaxException {
    MockHttpRequest request = MockHttpRequest.get("/" + GlobalConfigResource.GLOBAL_CONFIG_PATH_V2);
    MockHttpResponse response = new MockHttpResponse();

+    thrown.expectMessage("Subject does not have permission [configuration:read:global]");
+
    dispatcher.invoke(request, response);
-    assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
  }

  @Test
+  @SubjectAware(username = "readWrite")
  public void shouldUpdateGlobalConfig() throws URISyntaxException, IOException {
    URL url = Resources.getResource("sonia/scm/api/v2/globalConfig-test-update.json");
    byte[] configJson = Resources.toByteArray(url);
@@ -102,11 +107,9 @@ public class GlobalConfigResourceTest {

  }

-  @SubjectAware(
-    username = "dent"
-  )
  @Test
-  public void shouldUpdateForbiddenGlobalConfig() throws URISyntaxException, IOException {
+  @SubjectAware(username = "readOnly")
+  public void shouldUpdateGlobalConfigOnlyWhenAuthorized() throws URISyntaxException, IOException {
    URL url = Resources.getResource("sonia/scm/api/v2/globalConfig-test-update.json");
    byte[] configJson = Resources.toByteArray(url);
    MockHttpRequest request = MockHttpRequest.put("/" + GlobalConfigResource.GLOBAL_CONFIG_PATH_V2)
@@ -114,8 +117,10 @@ public class GlobalConfigResourceTest {
      .content(configJson);
    MockHttpResponse response = new MockHttpResponse();

+    thrown.expectMessage("Subject does not have permission [configuration:write:global]");
+
+
    dispatcher.invoke(request, response);
-    assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());
  }

  public static ScmConfiguration createConfiguration() {
--- a/scm-webapp/src/test/java/sonia/scm/api/v2/resources/ScmConfigurationToGlobalConfigDtoMapperTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/api/v2/resources/ScmConfigurationToGlobalConfigDtoMapperTest.java
@@ -51,7 +51,7 @@ public class ScmConfigurationToGlobalConfigDtoMapperTest {
  public void shouldMapFields() {
    ScmConfiguration config = createConfiguration();

-    when(subject.hasRole(Role.ADMIN)).thenReturn(true);
+    when(subject.isPermitted("configuration:write:global")).thenReturn(true);
    GlobalConfigDto dto = mapper.map(config);

    assertEquals("baseurl", dto.getBaseUrl());
@@ -63,7 +63,7 @@ public class ScmConfigurationToGlobalConfigDtoMapperTest {
  public void shouldMapFieldsWithoutUpdate() {
    ScmConfiguration config = createConfiguration();

-    when(subject.hasRole(Role.ADMIN)).thenReturn(false);
+    when(subject.hasRole("configuration:write:global")).thenReturn(false);
    GlobalConfigDto dto = mapper.map(config);

    assertEquals("baseurl", dto.getBaseUrl());